ISACA. CISA Practice Questions 2009 All
Подождите немного. Документ загружается.
B
、
Address Resolution Protocol (ARP)
C
、
Routing Information Protocol (RIP)
D
、
Transmission Control Protocol (TCP)
ANSWER:B
NOTE:Address Resolution Protocol (ARP) provides dynamic address mapping
between an IP address and hardware address. Simple Object Access Protocol
(SOAP) is a platform-independent XML-based protocol, enabling applications
to communicate with each other over the Internet, and does not deal with
media access control (MAC) addresses. Routing Information Protocol (RIP)
specifies how routers exchange routing table information. Transmission
Control Protocol (TCP) enables two hosts to establish a connection and
exchange streams of data.
490
、
Which of the following types of transmission media provide the BEST
security against unauthorized access?
A
、
Copper wire
B
、
Twisted pair
C
、
Fiberoptic cables
D
、
Coaxial cables
ANSWER:C
NOTE:Fiberoptic cables have proven to be more secure than the other media.
Satellite transmission and copper wire can be violated with inexpensive
equipment. Coaxial cable can also be violated more easily than other
transmission media.
491
、
Which of the following is the MOST important function to be
performed by IS management when a service has been outsourced?
A
、
Ensuring that invoices are paid to the provider
B
、
Participating in systems design with the provider
C
、
Renegotiating the provider's fees
D
、
Monitoring the outsourcing provider's performance
ANSWER:D
NOTE:In an outsourcing environment, the company is dependent on the
performance of the service provider. Therefore, it is critical the
outsourcing provider's performance be monitored to ensure that services
are delivered to the company as required. Payment of invoices is a finance
function, which would be completed per contractual requirements.
Participating in systems design is a byproduct of monitoring the
outsourcing provider's performance, while renegotiating fees is usually a
one-time activity.
492
、
Which of the following cryptography options would increase
overhead/cost?
A
、
The encryption is symmetric rather than asymmetric.
B
、
A long asymmetric encryption key is used.
C
、
The hash is encrypted rather than the message.
D
、
A secret key is used.
ANSWER:B
NOTE:Computer processing time is increased for longer asymmetric
encryption keys, and the increase may be disproportionate. For example,
one benchmark showed that doubling the length of an RSA key from 512 bits
to 1,024 bits caused the decrypt time to increase nearly six-fold. An
asymmetric algorithm requires more processing time than symmetric
algorithms. A hash is shorter than the original message; therefore, a
smaller overhead is required if the hash is encrypted rather than the
message. Use of a secret key, as a symmetric encryption key, is generally
small and used for the purpose of encrypting user data.
493
、
When performing an audit of a client relationship management (CRM)
system migration project, which of the following should be of GREATEST
concern to an IS auditor?
A
、
The technical migration is planned for a Friday preceding a long
weekend, and the time window is too short for completing all tasks.
B
、
Employees pilot-testing the system are concerned that the data
representation in the new system is completely different from the old
system.
C
、
A single implementation is planned, immediately decommissioning the
legacy system.
D
、
Five weeks prior to the target date, there are still numerous
defects in the printing functionality of the new system's software.
ANSWER:C
NOTE:Major system migrations should include a phase of parallel operation
or a phased cut-over to reduce implementation risks. Decommissioning or
disposing of the old hardware would complicate any fallback strategy,
should the new system not operate correctly. A weekend can be used as a
time buffer so that the new system will have a better chance of being up
and running after the weekend. A different data representation does not
mean different data presentation at the front end. Even when this is the
case, this issue can be solved by adequate training and user support. The
printing functionality is commonly one of the last functions to be tested
in a new system because it is usually the last step performed in any
business event. Thus, meaningful testing and the respective error fixing
are only possible after all other parts of the software have been
successfully tested.
494
、
A live test of a mutual agreement for IT system recovery has been
carried out, including a four-hour test of intensive usage by the business
units. The test has been successful, but gives only partial assurance that
the:
A
、
system and the IT operations team can sustain operations in the
emergency environment.
B
、
resources and the environment could sustain the transaction load.
C
、
connectivity to the applications at the remote site meets response
time requirements.
D
、
workflow of actual business operations can use the emergency system
in case of a disaster.
ANSWER:A
NOTE:The applications have been intensively operated, therefore choices B,
C and D have been actually tested, but the capability of the system and
the IT operations team to sustain and support this environment (ancillary
operations, batch closing, error corrections, output distribution, etc.)
is only partially tested.
495
、
Failure in which of the following testing stages would have the
GREATEST impact on the implementation of new application software?
A
、
System testing
B
、
Acceptance testing
C
、
Integration testing
D
、
Unit testing
ANSWER:B
NOTE:Acceptance testing is the final stage before the software is
installed and is available for use. The greatest impact would occur if the
software fails at the acceptance testing level, as this could result in
delays and cost overruns. System testing is undertaken by the developer
team to determine if the software meets user requirements per
specifications. Integration testing examines the units/modules as one
integrated system and unit testing examines the individual units or
components of the software. System, integration and unit testing are all
performed by the developers at various stages of development; the impact
of failure is comparatively less for each than failure at the acceptance
testing stage.
496
、
Which of the following is an example of a passive attack initiated
through the Internet?
A
、
Traffic analysis
B
、
Masquerading
C
、
Denial of service
D
、
E-mail spoofing
ANSWER:A
NOTE:Internet security threats/vulnerabilities are divided into passive
and active attacks. Examples of passive attacks include network analysis,
eavesdropping and traffic analysis. Active attacks include brute force
attacks, masquerading, packet replay, message modification, unauthorized
access through the Internet or web-based services, denial-of-service
attacks, dial-in penetration attacks, e-mail bombing and spamming, and
e-mail spoofing.
497
、
Which of the following types of testing would determine whether a
new or modified system can operate in its target environment without
adversely impacting other existing systems?
A
、
Parallel testing
B
、
Pilot testing
C
、
Interface/integration testing
D
、
Sociability testing
ANSWER:D
NOTE:The purpose of sociability testing is to confirm that a new or
modified system can operate in its target environment without adversely
impacting existing systems. This should cover the platform that will
perform primary application processing and interfaces with other systems,
as well as changes to the desktop in a client-server or web development.
Parallel testing is the process of feeding data into two systems—the
modified system and an alternate system—and comparing the results. In this
approach, the old and new systems operate concurrently for a period of
time and perform the same processing functions. Pilot testing takes place
first at one location and is then extended to other locations. The purpose
is to see if the new system operates satisfactorily in one place before
implementing it at other locations. Interface/integration testing is a
hardware or software test that evaluates the connection of two or more
components that pass information from one area to another. The objective
is to take unit-tested modules and build an integrated structure.
498
、
Which of the following would help to ensure the portability of an
application connected to a database?
A
、
Verification of database import and export procedures
B
、
Usage of a structured query language (SQL)
C
、
Analysis of stored procedures/triggers
D
、
Synchronization of the entity-relation model with the database
physical schema
ANSWER:B
NOTE:The use of SQL facilitates portability. Verification of import and
export procedures with other systems ensures better interfacing with other
systems, analyzing stored procedures/triggers ensures proper
access/performance, and reviewing the design entity-relation model will be
helpful, but none of these contribute to the portability of an application
connecting to a database.
499
、
Disaster recovery planning (DRP) addresses the:
A
、
technological aspect of business continuity planning.
B
、
operational piece of business continuity planning.
C
、
functional aspect of business continuity planning.
D
、
overall coordination of business continuity planning.
ANSWER:A
NOTE:Disaster recovery planning (DRP) is the technological aspect of
business continuity planning. Business resumption planning addresses the
operational part of business continuity planning.
500
、
Which of the following would be the MOST significant audit finding
when reviewing a point-of-sale (POS) system?
A
、
Invoices recorded on the POS system are manually entered into an
accounting application
B
、
An optical scanner is not used to read bar codes for the generation
of sales invoices
C
、
Frequent power outages occur, resulting in the manual preparation of
invoices
D
、
Customer credit card information is stored unencrypted on the local
POS system
ANSWER:D
NOTE:It is important for the IS auditor to determine if any credit card
information is stored on the local point-of-sale (POS) system. Any such
information, if stored, should be encrypted or protected by other means to
avoid the possibility of unauthorized disclosure. Manually inputting sale
invoices into the accounting application is an operational issue. If the
POS system were to be interfaced with the financial accounting
application, the overall efficiency could be improved. The nonavailability
of optical scanners to read bar codes of the products and power outages
are operational issues.
501
、
When developing a formal enterprise security program, the MOST
critical success factor (CSF) would be the:
A
、
establishment of a review board.
B
、
creation of a security unit.
C
、
effective support of an executive sponsor.
D
、
selection of a security process owner.
ANSWER:C
NOTE:The executive sponsor would be in charge of supporting the
organization's strategic security program, and would aid in directing the
organization's overall security management activities. Therefore, support
by the executive level of management is the most critical success factor
(CSF). None of the other choices are effective without visible sponsorship
of top management.
502
、
With respect to business continuity strategies, an IS auditor
interviews key stakeholders in an organization to determine whether they
understand their roles and responsibilities. The IS auditor is attempting
to evaluate the:
A
、
clarity and simplicity of the business continuity plans.
B
、
adequacy of the business continuity plans.
C
、
effectiveness of the business continuity plans.
D
、
ability of IS and end-user personnel to respond effectively in
emergencies.
ANSWER:A
NOTE:The IS auditor should interview key stakeholders to evaluate how well
they understand their roles and responsibilities. When all stakeholders
have a detailed understanding of their roles and responsibilities in the
event of a disaster, an IS auditor can deem the business continuity plan
to be clear and simple. To evaluate adequacy, the IS auditor should review
the plans and compare them to appropriate standards. To evaluate
effectiveness, the IS auditor should review the results from previous
tests. This is the best determination for the evaluation of effectiveness.
An understanding of roles and responsibilities by key stakeholders will
assist in ensuring the business continuity plan is effective. To evaluate
the response, the IS auditor should review results of continuity tests.
This will provide the IS auditor with assurance that target and recovery
times are met. Emergency procedures and employee training need to be
reviewed to determine whether the organization had implemented plans to
allow for the effective response.
503
、
IT operations for a large organization have been outsourced. An IS
auditor reviewing the outsourced operation should be MOST concerned about
which of the following findings?
A
、
The outsourcing contract does not cover disaster recovery for the
outsourced IT operations.
B
、
The service provider does not have incident handling procedures.
C
、
Recently a corrupted database could not be recovered because of
library management problems.
D
、
Incident logs are not being reviewed.
ANSWER:A
NOTE:The lack of a disaster recovery provision presents a major business
risk. Incorporating such a provision into the contract will provide the
outsourcing organization leverage over the service provider. Choices B, C
and D are problems that should be addressed by the service provider, but
are not as important as contract requirements for disaster recovery.
504
、
A disaster recovery plan for an organization should:
A
、
reduce the length of the recovery time and the cost of recovery.
B
、
increase the length of the recovery time and the cost of recovery.
C
、
reduce the duration of the recovery time and increase the cost of
recovery.
D
、
affect neither the recovery time nor the cost of recovery.
ANSWER:A
NOTE:One of the objectives of a disaster recovery plan is to reduce the
duration and cost of recovering from a disaster. A disaster recovery plan
would increase the cost of operations before and after the disaster
occurs, but should reduce the time to return to normal operations and the
cost that could result from a disaster.
505
、
In auditing a web server, an IS auditor should be concerned about
the risk of individuals gaining unauthorized access to confidential
information through:
A
、
common gateway interface (CGI) scripts.
B
、
enterprise java beans (EJBs).
C
、
applets.
D
、
web services.
ANSWER:A
NOTE:Common gateway interface (CGI) scripts are executable machine
independent software programs on the server that can be called and
executed by a web server page. CGI performs specific tasks such as
processing inputs received from clients. The use of CGI scripts needs to
be evaluated, because as they run in the server, a bug in them may allow a
user to gain unauthorized access to the server and from there gain access
to the organization's network. Applets are programs downloaded from a web
server and executed on web browsers on client machines to run any
web-based applications. Enterprise java beans (EJBs) and web services have
to be deployed by the web server administrator and are controlled by the
application server. Their execution requires knowledge of the parameters
and expected return values.
506
、
When performing a database review, an IS auditor notices that some
tables in the database are not normalized. The IS auditor should next:
A
、
recommend that the database be normalized.
B
、
review the conceptual data model.
C
、
review the stored procedures.
D
、
review the justification.
ANSWER:D
NOTE:If the database is not normalized, the IS auditor should review the
justification since, in some situations, denormalization is recommended
for performance reasons. The IS auditor should not recommend normalizing
the database until further investigation takes place. Reviewing the
conceptual data model or the stored procedures will not provide
information about normalization.
507
、
An organization is implementing an enterprise resource planning
(ERP) application to meet its business objectives. Of the following, who
is PRIMARILY responsible for overseeing the project in order to ensure
that it is progressing in accordance with the project plan and that it
will deliver the expected results?
A
、
Project sponsor
B
、
System development project team (SPDT)
C
、
Project steering committee
D
、
User project team (UPT)
ANSWER:C
NOTE:A project steering committee that provides an overall direction for
the enterprise resource planning (ERP) implementation project is
responsible for reviewing the project's progress to ensure that it will
deliver the expected results. A project sponsor is typically the senior
manager in charge of the primary business unit that the application will
support. The sponsor provides funding for the project and works closely
with the project manager to define the critical success factors or metrics
for the project. The project sponsor is not responsible for reviewing the
progress of the project. A system development project team (SDPT)
completes the assigned tasks, works according to the instructions of the
project manager and communicates with the user project team. The SDPT is
not responsible for reviewing the progress of the project. A user project
team (UPT) completes the assigned tasks, communicates effectively with the
system development team and works according to the advice of the project
manager. A UPT is not responsible for reviewing the progress of the
project.
508
、
To support an organization's goals, an IS department should have:
A
、
a low-cost philosophy.
B
、
long- and short-range plans.
C
、
leading-edge technology.
D
、
plans to acquire new hardware and software.
ANSWER:B
NOTE:To ensure its contribution to the realization of an organization's
overall goals, the IS department should have long- and short-range plans
that are consistent with the organization's broader plans for attaining
its goals. Choices A and C are objectives, and plans would be needed to
delineate how each of the objectives would be achieved. Choice D could be
a part of the overall plan but would be required only if hardware or
software is needed to achieve the organizational goals.
509
、
After initial investigation, an IS auditor has reasons to believe
that fraud may be present. The IS auditor should:
A
、
expand activities to determine whether an investigation is
warranted.
B
、
report the matter to the audit committee.
C
、
report the possibility of fraud to top management and ask how they
would like to proceed.
D
、
consult with external legal counsel to determine the course of
action to be taken.
ANSWER:A
NOTE:An IS auditor's responsibilities for detecting fraud include
evaluating fraud indicators and deciding whether any additional action is
necessary or whether an investigation should be recommended. The IS
auditor should notify the appropriate authorities within the organization
only if it has determined that the indicators of fraud are sufficient to
recommend an investigation. Normally, the IS auditor does not have
authority to consult with external legal counsel.
510
、
Many IT projects experience problems because the development time
and/or resource requirements are underestimated. Which of the following
techniques would provide the GREATEST assistance in developing an estimate
of project duration?
A
、
Function point analysis
B
、
PERT chart
C
、
Rapid application development
D
、
Object-oriented system development
ANSWER:B
NOTE:A PERT chart will help determine project duration once all the
activities and the work involved with those activities are known. Function
point analysis is a technique for determining the size of a development
task based on the number of function points. Function points are factors
such as inputs, outputs, inquiries, logical internal files, etc. While
this will help determine the size of individual activities, it will not
assist in determining project duration since there are many overlapping
tasks. Rapid application development is a methodology that enables
organizations to develop strategically important systems faster while
reducing development costs and maintaining quality, while object-oriented
system development is the process of solution specification and modeling.